Bug 1191446 (CVE-2015-0226)
| Summary: | CVE-2015-0226 wss4j: Apache WSS4J is vulnerable to Bleichenbacher's attack (incomplete fix for CVE-2011-2487) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aileenc, alazarot, asantos, bdawidow, bleanhar, brms-jira, ccoleman, cdewolf, chazlett, dandread, darran.lofthouse, dmcphers, epp-bugs, etirelli, felias, fnasser, grocha, gvarsami, hfnukal, huwang, jason.greene, jawilson, jbpapp-maint, jcoleman, jdetiber, jdg-bugs, jgarriso, jialiu, jkeck, jokerman, jolee, jpallich, kconner, kseifried, ldimaggi, lgao, lmeyer, lpetrovi, mbaluch, mmccomas, mweiler, mwinkler, myarboro, nwallace, pavelp, pgier, pslavice, rhq-maint, rrajasek, rsvoboda, rwagner, rzhang, soa-p-jira, spinder, tcunning, theute, tkirby, ttarrant, twalsh, vhalbert, vtunka, weli |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | wss4j 1.6.17, wss4j 2.0.2 | Doc Type: | Bug Fix |
| Doc Text: |
It was found that a prior countermeasure in Apache WSS4J for Bleichenbacher's attack on XML Encryption (CVE-2011-2487) threw an exception that permitted an attacker to determine the failure of the attempted attack, thereby leaving WSS4J vulnerable to the attack. The original flaw allowed a remote attacker to recover the entire plain text form of a symmetric key.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-07-12 21:24:49 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1191455, 1196854, 1196855, 1196856, 1196857, 1196858, 1196859, 1196860, 1196861, 1196862, 1196863, 1196864, 1196865, 1196866, 1196867, 1196868, 1196869, 1196870, 1196871, 1196872, 1196873, 1196874, 1196875, 1196876 | ||
| Bug Blocks: | 1191452, 1206755, 1212496, 1232965, 1258580, 1258582, 1340536 | ||
|
Description
Vasyl Kaigorodov
2015-02-11 10:47:44 UTC
Created wss4j tracking bugs for this issue: Affects: fedora-all [bug 1191455] This issue has been addressed in the following products: Red Hat JBoss Data Grid 6.4 Via RHSA-2015:0773 https://rhn.redhat.com/errata/RHSA-2015-0773.html This issue has been addressed in the following products: JBoss Enterprise Application Platform 6.4.0 Via RHSA-2015:0849 https://rhn.redhat.com/errata/RHSA-2015-0849.html This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 6 Via RHSA-2015:0847 https://rhn.redhat.com/errata/RHSA-2015-0847.html This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 5 Via RHSA-2015:0846 https://rhn.redhat.com/errata/RHSA-2015-0846.html This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 7 Via RHSA-2015:0848 https://rhn.redhat.com/errata/RHSA-2015-0848.html This issue has been addressed in the following products: Red Hat JBoss A-MQ 6.2.0 Via RHSA-2015:1177 https://rhn.redhat.com/errata/RHSA-2015-1177.html This issue has been addressed in the following products: Red Hat JBoss Fuse 6.2.0 Via RHSA-2015:1176 https://rhn.redhat.com/errata/RHSA-2015-1176.html This issue has been addressed in the following products: Red Hat JBoss SOA Platform 5.3.1 Via RHSA-2016:1376 https://access.redhat.com/errata/RHSA-2016:1376 |